Welcome to the January Hacks/Hacker meeting: Encrypted communications - PowerPoint PPT Presentation

Provided by: mee123
Transcript and Presenter's Notes

1
Welcome to the January Hacks/Hacker meeting
Encrypted communications
Keep up with upcoming events about the future of
storytelling and data:
  • OpenDataSTL Meetup page: www.meetup.com/Open-Data-STL
  • Hacks/Hackers STL on Twitter: www.twitter.com/STLHacksHackers
  • Hacks/Hackers STL on Facebook: www.facebook.com/STLHacksHackers
2
  • Why encrypt my emails and chats?
  • Some people encrypt their communications in
    response to government-sanctioned surveillance,
    inside the US and overseas, on principle or
    because they are working with sensitive issues.
  • Some email providers scan email content to serve
    customized advertising while you surf the web,
    but they can't read content you encrypt with your
    own keys.
  • See "Gmail Does Scan All Emails, New Google Terms
    Clarify," April 2014, at The Guardian.
  • Signing and encrypting your emails and using
    encrypted chat programs preserves message
    integrity to prevent tampering.
  • If no one else has your communication partner's
    key and passphrase, you can guarantee that your
    message will only be read by the intended
    recipient (and vice versa). Encrypted chat
    programs also offer verification tools.
  • If someone steals your email account credentials,
    they won't be able to read your encrypted emails
    unless they also have your key passphrase.

3
  • Today we're going to discuss:
  • CryptoCat: an easy-to-use Firefox extension
  • ChatSecure: an Android chat app
  • Enigmail: an extension for encrypted email in
    Thunderbird
  • GPG4Win: a basic key manager for Windows
  • Mailvelope: a Firefox extension for encrypting
    email in-browser
  • Tools for closed-source platforms are harder to
    find or are not free to use. We'll discuss
    solutions for other platforms at the end.

The Electronic Frontier Foundation Secure
Messaging Scorecard
4
Just because an app describes itself as secure
doesn't mean it makes any guarantee about
respecting your privacy or whether someone can
break their encryption. A good algorithm isn't
broken by allowing others to review it. We'll
discuss weaknesses in all systems, even good
ones, later in the presentation.
5
  • CryptoCat
  • A browser extension for Chrome, Firefox, Safari,
    Opera, OS X, and iPhone. Developed by Nadim
    Kobeissi.
  • Strengths
  • Easy to use, thoroughly reviewed, and available
    for a wide range of platforms.
  • Weaknesses
  • Conversation names and nicknames should be
    exchanged in person beforehand.
  • Vulnerable to keyloggers.
  • If someone gets hold of your conversation
    partner's details, they can easily impersonate
    that individual.

6
  • ChatSecure
  • A chat client for iPhone, iPad, iPod Touch, and
    Android.
  • Developed by The Guardian Project in the UK
    (check out their Orbot, Orweb, and ObscuraCam
    projects too!).
  • Strengths
  • Easy to set up a new chat account with Jabber and
    XMPP.
  • Includes a challenge question function and ways
    to visually confirm that messages are being
    encrypted.
  • Weaknesses
  • A little buggy when trying to identify online
    users.
  • No big flashing warning if your conversation
    partner fails the challenge question.

7
Before we move on to generating keys, let's cover
some basics. You can think of encrypting files
and emails with this diagram:

  Sender                     In transit      Recipient
  Message -> Encryption  ->  Ciphertext  ->  Decryption -> Message
             (public key)                    (private key)

In examples, cryptographers often use the names
Alice and Bob. Alice encrypts a message to Bob
with Bob's public key. The message cannot be
decrypted with Bob's public key. Alice then sends
the ciphertext to Bob, who decrypts the message
with his private key (unlocked, in most cases,
with a passphrase).

A signature on an encrypted document is a unique
string that is a function of your private key and
the message. It proves that only the person with
access to the private key could have sent the
message, and also that the message has not been
tampered with.
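The Alice-and-Bob exchange above, as an added example that is not part of the original slides. It uses textbook RSA with small, easily factored primes purely to show which key does what; GPG itself uses much larger keys, padding, and a symmetric session key, and every name below is an assumption of this sketch.

```python
import hashlib

# Toy parameters (constructed): Mersenne primes, trivially factorable.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # (public key, private key)

def encrypt(message: bytes, public) -> int:
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, private) -> bytes:
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    d, n = private
    return pow(digest(message, n), d, n)       # function of private key + message

def verify(message: bytes, signature: int, public) -> bool:
    e, n = public
    return pow(signature, e, n) == digest(message, n)

ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    msg = b"Meet at noon"
    sig = sign(msg, ALICE_PRIV)                # Alice signs with her private key
    ct = encrypt(msg, BOB_PUB)                 # and encrypts to Bob's public key
    wrong = pow(ct, BOB_PUB[0], BOB_PUB[1])    # "decrypting" with the public key
    plain = decrypt(ct, BOB_PRIV)              # only the private key works
    return {
        "public_key_recovers": wrong == int.from_bytes(msg, "big"),
        "plaintext": plain,
        "signature_ok": verify(plain, sig, ALICE_PUB),
        "tampered_ok": verify(b"Meet at nine", sig, ALICE_PUB),
    }

if __name__ == "__main__":
    print(demo())
```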
8
  • Good advice regardless of what tools you are
    using
  • Most of them are only as secure as your
    passwords. Make sure you use passwords that you
    won't forget, and don't re-use passwords. Secure
    passwords are long, don't include whole words
    straight from the dictionary, include numerals
    and symbols, and are difficult to guess.
  • Challenge questions and security questions are
    usually pretty easy to guess, so arrange with
    your conversation partner beforehand to make them
    difficult to predict.
  • Exchange details in person or by another
    encrypted method because unencrypted traffic is
    often easy for attackers to read.
  • If you really can't remember your password or
    other conversation method parameters (CryptoCat
    chatroom names, challenge questions and answers),
    write them down on paper and keep them somewhere
    safe, far away from your computer.
  • If you lose the password for your private
    key, there is no way to decrypt messages sent to
    you and you cannot revoke your certificate. Be
    careful!
  • Keyloggers and malware can break many of these
    tools, so regular antivirus scans (regardless of
    your operating system) are vital to your security.

9
Enigmail
An add-on for the Mozilla Thunderbird and Seamonkey
email clients. Good setup instructions are at
Email Self-Defense by the Free Software Foundation.

You will also need to download Gnu Privacy Guard
(GPG), the Windows version of which is GPG4Win.
During installation, choose to install GPA.

Enigmail will be in your Thunderbird options.
Click the arrow beside Enigmail, click Key
Management, and then click Generate and select
New Key Pair. Enter a passphrase and then click
Generate Key.

Enigmail also gives the option to generate a
revocation certificate, which lets you revoke
your key's validity if someone gets your private
key and passphrase. Generate the revocation
certificate and keep it in a safe place somewhere
other than your computer.

Next, we're going to test using the key for
encrypting and decrypting emails.
10
Open the Enigmail Key Management window,
right-click on your key, and click Send Public
Keys by Email. Send the email to
adele-en_at_gnupp.de; the subject line and content
don't matter yet. Don't encrypt the email, but you
can try signing it by clicking the pen icon in the
lower right corner of the email window.

Remember, even if your email is encrypted, the
subject line and email recipients are never
encrypted.

Adele will send you an email encrypted with your
public key. Thunderbird should prompt you to enter
your passphrase to decrypt it. Click the Decrypt
button in the mail toolbar. It will prompt you to
add Adele's public key (in the email) to Enigmail.

Now send a reply email to Adele, erasing the text
in the body of the email first and adding a brief
message of your own. Click on the key icon next to
the pen icon and choose to encrypt the email with
Adele's public key.
11
Signing keys and uploading to a keyserver
An important feature of asymmetric (public and
private) key encryption is the trust web. Someone
looking to communicate with you can search for
your public key through a keyserver and knows
that the one signed by other people you both know
and trust is the right one.

Upload your key to a keyserver by clicking on it,
then Keyserver, then Upload Public Keys.

To sign a key, find it by searching in Enigmail.
Click on Keyserver, then Search for keys. Select
the one you want and add it. Then right-click on
it in the Key Management pane and select Sign key.
12
Mailvelope
A browser add-on for Firefox or Chrome. It works
for most web mail applications. The documentation
page is great for instructing you on how to
generate a key pair, add public keys to your
keyring, encrypt and decrypt emails, and more. It
does not give you the ability to sign keys or
upload them to key servers.
13
Questions? If you know the answer, please feel
free to speak up. Now, time to sign!
14
  • If you have Enigmail
  • Find your fingerprint in the Key Management
    window by double-clicking on your key.
  • Search for a key by its fingerprint by clicking
    Keyservers, then Search for keys, and enter
    the whole fingerprint in the search bar.
  • Select it, add it to your keyring, and then
    right-click and sign it.
  • If you're using GPA
  • Find your fingerprint by clicking on your key.
  • GPA prefers to find keys by key ID, which is the
    last 8 characters in the fingerprint.
  • It will add the public key automatically if
    found. Right-click on it and select Sign keys.
  • If you're using something else, ask for help!
  • My fingerprint is 9C80 407F 9613 3D15 18B6 9816
    2BC1 4507 66F8 75A1
  • Feel free to sign my key when you can!
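A check to run before signing, added here as an example and not part of the original slides: an 8-character key ID is only 32 bits of the fingerprint, so a keyserver search by key ID can return more than one key, and the full fingerprint obtained from the owner decides which one to sign. The keyserver results and function names below are constructed for illustration.

```python
import string

def normalize(fpr: str) -> str:
    """Drop spaces/colons, upper-case, and require 40 hex digits (160 bits)."""
    hexstr = "".join(ch for ch in fpr if ch not in " :\t").upper()
    if len(hexstr) != 40 or any(ch not in string.hexdigits for ch in hexstr):
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return hexstr

def short_key_id(fpr: str) -> str:
    return normalize(fpr)[-8:]       # the 8-character ID GPA searches by

def long_key_id(fpr: str) -> str:
    return normalize(fpr)[-16:]      # 64-bit key ID

def candidates_by_short_id(key_id: str, results: list) -> list:
    return [r for r in results if short_key_id(r["fingerprint"]) == key_id.upper()]

def select_key_to_sign(fpr_from_owner: str, results: list):
    """Return the one result whose full fingerprint matches, else None."""
    want = normalize(fpr_from_owner)
    matches = [r for r in results if normalize(r["fingerprint"]) == want]
    return matches[0] if len(matches) == 1 else None

# Fingerprint as printed on the last slide.
SLIDE_FPR = "9C80 407F 9613 3D15 18B6 9816 2BC1 4507 66F8 75A1"

# Constructed keyserver results: "result A" is a made-up fingerprint that
# only shares the final 8 hex digits with the slide's key.
RESULTS = [
    {"label": "result A", "fingerprint": "0123456789ABCDEF0123456789ABCDEF66F875A1"},
    {"label": "result B", "fingerprint": "9c80407f96133d1518b698162bc1450766f875a1"},
]

if __name__ == "__main__":
    kid = short_key_id(SLIDE_FPR)
    print("short key ID:", kid)
    print("results sharing it:",
          [r["label"] for r in candidates_by_short_id(kid, RESULTS)])
    chosen = select_key_to_sign(SLIDE_FPR, RESULTS)
    print("safe to sign:", chosen["label"] if chosen else "none, do not sign")
```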